talk will be on public key identification schemes based on multivariate quadratic polynomials by Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Koichi will be the speaker.

Thank you, Chair. Today, I'd like to talk to you about our new identification schemes. Our motivation for this work is finding a new alternative to current standard schemes, for example, RSA, for public key identification and digital signature. Especially, we would like to provide an alternative based on a problem other than factoring or discrete log. There are a number of prior works in this area. For example, identification schemes based on the permuted kernel problem, the syndrome decoding problem, and lattice problems. On the other hand, we focus on another problem called the MQ problem.

Let's begin with what is an MQ problem? The MQ problem is solving a multivariate quadratic equation system over a finite field. Concretely, given the coefficients of the equation system, the problem is finding a solution of the system, and this function consisting of multivariate quadratic polynomials is called an MQ function. And this problem is a very promising problem for cryptography because of the following three advantages. First, the MQ function can be efficiently implemented. Second, the MQ function can be used as a one-way function with very short output, for example, only 80 bits. And the intractability of a random instance has been well examined for a long time. Finally, the associated decision version of the MQ problem is NP-complete. In fact, there is no known polynomial-time quantum algorithm to solve it, in contrast to factoring or discrete log.

Multivariate public key cryptography, or MPKC, uses this form of function. But many existing schemes of MPKC have already been shown to be insecure. What is the reason why this happens? The existing design of multivariate PKC is based on a trapdoor function from composition of easily invertible maps.
For example, the MI scheme, the HFE scheme, and the UOV scheme are based on this design. In this design, a secret key consists of these three easily invertible maps. And the public key is the composite function of the three maps. The composite function is a highly limited form of MQ function. But the key recovery problem is not an MQ problem, but another problem whose intractability is still controversial. The problem is called the isomorphism of polynomials problem. In fact, this is why some schemes of MPKC have already been shown to be insecure.

So we employ a totally different design. Our design is based on a zero-knowledge argument of knowledge for the MQ problem. Of course, there is a trivial construction of such a protocol for any NP-language. So especially, our design is based on a non-trivial and efficient construction by using our original technique. We note that it uses not a composite function, but a random instance of an MQ function. In this design, the coefficients of the MQ function can be commonly used by all users. So a secret key is an input of the MQ function, and the public key is the output of the function. By using this design, you can get the following two advantages. First, the key recovery problem is an MQ problem. In fact, the security of our scheme can be reduced to the intractability of the MQ problem. Second, the size of our public key is very small. For example, 80 bits for 80-bit security.

This is the summary of the introduction. First, we focus on the MQ problem, which is very intractable and promising. Then, we introduce a different design than existing MPKC. The existing design of MPKC is based on a trapdoor function from composition of easily invertible maps. So the key recovery problem is not an MQ problem, but another problem whose intractability is still controversial. On the other hand, our design is based on a zero-knowledge argument of knowledge for the MQ problem.
So the security can be reduced to the intractability of a random instance of the MQ problem. That was the introduction of this talk.

Then, I'd like to talk about the new technique and construction. Here, we consider two entities, a prover Alice and a verifier Bob. And we suppose that both of them have a common instance y of the MQ problem. In this situation, a prover Alice asserts that she has a solution of the MQ problem. On the other hand, a verifier Bob checks whether the assertion is true or not through interaction with Alice. In this protocol, if y and x are used as a public key and a secret key, then this protocol can be used for public key identification. The security can be derived from two properties, zero-knowledge and argument of knowledge. Roughly speaking, zero-knowledge implies that a verifier Bob cannot obtain any information on the secret key. And argument of knowledge implies that nobody can cheat Bob.

In order to construct such a protocol, a cut-and-choose approach is useful. So we review the cut-and-choose approach. In this approach, first, a prover Alice divides her secret into shares. For example, share 0 and share 1. Then, a verifier Bob chooses which share he checks, either 0 or 1. Finally, she proves the correctness of the chosen share without revealing her secret itself. For example, a prover Alice reveals the selected share i. Then, a verifier Bob checks the correctness of the share i. For this approach, we should solve how to divide a secret key into shares and how to check the correctness of each share. A property of homomorphism is useful for this approach. For example, in the case of modular exponentiation, if a secret key x is divided into two shares, r0 and r1, then a public key to the power x is correspondingly divided into two parts, each of which is verifiable from either r0 or r1. But the MQ function is not a homomorphism. So we introduce our new original technique for the MQ function.
For our MQ function F, we consider a situation where a secret key is x and the public key y is F of x. In this situation, you can find a useful property of the MQ function. That is, the associated polar form G of the MQ function F is a bilinear function. The polar form G is this form of function. By using the useful property, we can divide a secret key into three shares. First, we divide the secret key x into r0 and r1. Consequently, the public key y is also divided as this equation. Second, we further divide the information on r0. That is, r0 is divided into t0 and t1. And F of r0 is also divided into e0 and e1. Consequently, a public key y is divided as this equation. So the secret key x is divided into the three shares. Here, we note that this part is verifiable from share 0 and share 1 as share 2. And this part is also verifiable from share 1 and share 2. Moreover, no information on the secret key x can be extracted from only two out of the three shares.

Using this technique, we construct a protocol. This is our basic protocol. First, a prover Alice divides her secret x into three shares. Then, she commits to these values. If a verifier Bob chooses a challenge 0, then a prover Alice reveals share 0 and share 1. If a verifier Bob chooses a challenge 1, then a prover Alice reveals share 1 and share 2. If a verifier Bob chooses challenge 2, then Alice reveals share 0 and share 2.

For the security, we can show the following theorems. First, this protocol is statistically zero-knowledge when the commitment scheme is statistically hiding. Second, this protocol is an argument of knowledge for the MQ problem with knowledge error two-thirds when the commitment scheme is computationally binding. So if the commitment scheme is statistically hiding and computationally binding, then this protocol is a statistically zero-knowledge argument of knowledge for the MQ problem with knowledge error two-thirds.
And such a commitment scheme can be constructed from a collision-resistant hash function.

For public identification, this protocol should be repeated a number of times because the knowledge error of the protocol is two-thirds. So here, we consider two types of composition, sequential composition and parallel composition. The sequential version of our scheme achieves the security against active attack. The security model supposes an attacker who can interact with an honest prover. On the other hand, the parallel version of our scheme achieves the security against active attack. But the security model supposes only an eavesdropper. So the sequential version of our scheme satisfies higher security requirements. But if the underlying MQ function is substantially compressing, for example, a map from 160 bits to 80 bits, the parallel version of our scheme also achieves the security against active attack.

We compare with public identification schemes based on another problem whose associated decision version is NP-complete. Especially, we consider the schemes from three-pass zero-knowledge arguments of knowledge. This table shows the public key size for 80-bit security, the communication data size, the number of arithmetic operations, and the required random permutation. These figures are in the case that the protocol is repeated until the impersonation probability is less than 2 to the power of minus 30, which is less than 1 billionth. As you see, the performance of our scheme is highly comparable; especially, the public key size is very small, only 80 bits. In addition, our schemes don't require any random permutation.

Finally, we summarize this work. We propose public key identification schemes based on the MQ problem through a new design, which is totally different from existing MPKC. Technically, the design is based on a zero-knowledge argument of knowledge for the MQ problem. And the advantages of our scheme are the security and the public key size.
The security can be reduced to the intractability of a random instance of the MQ problem. And the size of our public key is very small. For example, only 80 bits for 80-bit security. As another application, a digital signature scheme based on the MQ problem can also be realized. Thank you for your attention.

So we have time for one question. OK, so let's thank our speaker again.
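
Added example, not part of the talk: one round of the three-share protocol described above, over GF(2), showing why a prover without the secret passes two of the three challenges and how many repetitions push the impersonation probability below 2^-30. The share names r0, r1, t0, t1, e0, e1 follow the talk; the commitment layout, the challenge numbering, the SHA-256 commitment and the toy sizes N and M are assumptions made for this example.

```python
import hashlib, math, random, secrets

N, M = 16, 8                      # toy sizes (constructed); far too small for real use
_rng = random.Random(2011)        # public system coefficients, constructed for the demo
QUAD = [[_rng.getrandbits(N) for _ in range(N)] for _ in range(M)]
LIN = [_rng.getrandbits(N) for _ in range(M)]

def F(x):
    """MQ function over GF(2): output bit k is x^T A_k x + b_k . x (vectors as bitmasks)."""
    out = 0
    for k in range(M):
        acc = bin(LIN[k] & x).count("1")
        acc += sum(bin(QUAD[k][i] & x).count("1") for i in range(N) if x >> i & 1)
        out |= (acc & 1) << k
    return out

def G(x, y):
    """Polar form of F; bilinear, so G(t0 ^ t1, r1) == G(t0, r1) ^ G(t1, r1)."""
    return F(x ^ y) ^ F(x) ^ F(y)

def com(rho, *vals):
    """Hash-based commitment (assumed construction): SHA-256 over randomness and values."""
    return hashlib.sha256(rho + b"".join(v.to_bytes(4, "big") for v in vals)).digest()

def commit(s):
    """Prover, pass 1: split s into shares and commit to them."""
    r0, t0, e0 = secrets.randbits(N), secrets.randbits(N), secrets.randbits(M)
    r1, t1, e1 = s ^ r0, r0 ^ t0, F(r0) ^ e0
    rho = [secrets.token_bytes(16) for _ in range(3)]
    c = (com(rho[0], r1, G(t0, r1) ^ e0), com(rho[1], t0, e0), com(rho[2], t1, e1))
    return c, {"r0": r0, "r1": r1, "t0": t0, "t1": t1, "e0": e0, "e1": e1, "rho": rho}

def respond(st, ch):
    """Prover, pass 3: open two of the three commitments, chosen by the challenge."""
    a, t, e, i, j = {0: ("r0", "t1", "e1", 1, 2), 1: ("r1", "t1", "e1", 0, 2),
                     2: ("r1", "t0", "e0", 0, 1)}[ch]
    return st[a], st[t], st[e], st["rho"][i], st["rho"][j]

def verify(v, c, ch, rsp):
    """Verifier: recompute the two opened commitments from the response and public key v."""
    a, t, e, ra, rb = rsp
    if ch == 0:
        return c[1] == com(ra, a ^ t, F(a) ^ e) and c[2] == com(rb, t, e)
    if ch == 1:
        return c[0] == com(ra, a, v ^ F(a) ^ G(t, a) ^ e) and c[2] == com(rb, t, e)
    return c[0] == com(ra, a, G(t, a) ^ e) and c[1] == com(rb, t, e)

def run_round(s, v, ch):
    c, st = commit(s)
    return verify(v, c, ch, respond(st, ch))

def rounds_for(bits):
    """Repetitions r with (2/3)^r < 2^-bits."""
    return math.ceil(bits / math.log2(1.5))
```

Only the challenge-1 check involves the public key v, so a prover who commits honestly to a wrong secret is caught on that challenge alone; this is the two-thirds knowledge error the talk refers to.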